spoolsv.exe
- File Path:
C:\Windows\system32\spoolsv.exe - Description: Spooler SubSystem App
Hashes
| Type | Hash |
|---|---|
| MD5 | 2709938B30A5689918CA7BA7F0F70F6D |
| SHA1 | 325B9C218A88DFB0E8A5CFD66E0C6C901B2D0D98 |
| SHA256 | 4CCD2F52F39CC72787BB4CAC73BEFC5D27E2E77B14E70B04CF604159D19313B4 |
| SHA384 | 84750483306591D702A5B890CC1A0DC2F8165899D0F9DDEDE7FD981127157E0BA9848C32F3EE5973DCBCAFA62D880DC8 |
| SHA512 | 88A29318D6E57F2ED3C7E51A0F622D536A7AA0108C86B84740DBE1FA5E96CB6BE47F80A9226817BC71E2C397F8E7EAC3381AF7C86180677F5C2683112FB50C31 |
| SSDEEP | 24576:5syPDeBJLDzWBYnuesJLK27QDndkYQQZmPRmtFDJGu4K:5s2DSJLDzWBYnuesJLK27QDndkYQQZm0 |
| IMP | 6D527F52CF7772DC1BF45147E1BD0544 |
| PESHA1 | 47524655B7904625387BD0557A002CF0ECBA955F |
| PE256 | 8FDCA2BF9ABD94FB9814A31D586B4DB9A90E7B3022AD5DC7D6544769E158C61D |
Runtime Data
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\advapi32.dll |
| C:\Windows\System32\bcrypt.dll |
| C:\Windows\system32\DNSAPI.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\system32\spoolsv.exe |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: spoolsv.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/4ccd2f52f39cc72787bb4cac73befc5d27e2e77b14e70b04cf604159d19313b4/detection
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\spoolsv.exe | 79 |
Possible Misuse
The following table contains possible examples of spoolsv.exe being misused. While spoolsv.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | file_delete_win_cve_2021_1675_printspooler_del.yml | Image\|endswith: 'spoolsv.exe' |
DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | image_load_spoolsv_dll_load.yml | Image\|endswith: 'spoolsv.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | description: Detects suspicious print spool service (spoolsv.exe) child processes. |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | spoolsv: |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | ParentImage\|endswith: \\spoolsv.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | condition: spoolsv and ( |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\spoolsv.exe' |
DRL 1.0 |
| sigma | registry_event_add_port_monitor.yml | Image: 'C:\Windows\System32\spoolsv.exe' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | Image: 'C:\Windows\System32\spoolsv.exe' |
DRL 1.0 |
| atomic-red-team | T1489.md | This technique was used by WannaCry. Upon execution, if the spoolsv service was running “SUCCESS: The process “spoolsv.exe” with PID 2316 has been terminated.” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | will be displayed. If the service was not running “ERROR: The process “spoolsv.exe” not found.” will be displayed and it can be | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | | process_name | Name of a process to kill | String | spoolsv.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. | MIT License. © 2018 Red Canary |
| signature-base | generic_anomalies.yar | description = “Detects uncommon file size of spoolsv.exe” | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == “spoolsv.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.